WebKit contains a use-after-free error in the 'RenderBox::positionLineBox' function in WebCore/rendering/RenderBox.cpp when handling inline box wrappers. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.

The vendor has released a patch to address this vulnerability. There are no known workarounds or upgrades to correct this issue. Check the vendor advisory, changelog, or solution in the references section for details.

• Security Tracker: 1026774
• Related OSVDB ID: 79905 79906 79907 79908 79909 79911 79912 79913 79914 79915 79916 79917 79918 79919 79920 79921 79922 79923 79924 79925 79926 79927 79928 79929 79930 79931 79932 79933 79934 79935 79936 79937 79938 79939 79940 79941 79942 79943 79944 79945 79946 79947 79948 79949 79950 79951 79952 79953 79954 79955 79956 79964
• CVE ID: 2011-2871 (see also: NVD)
• Secunia Advisory ID: 48274 48288 48377
• Mail List Post: http://lists.apple.com/archives/security-announce/2012/Mar/msg00000.html
  http://lists.apple.com/archives/security-announce/2012/Mar/msg00001.html
  http://lists.apple.com/archives/security-announce/2012/Mar/msg00003.html
• Vendor Specific Advisory URL: http://support.apple.com/kb/HT5190
  http://support.apple.com/kb/HT5191
  http://support.apple.com/kb/HT5192
• Vendor Specific Solution URL: http://trac.webkit.org/changeset/94001
• Vendor Specific News/Changelog Entry: https://bugs.webkit.org/show_bug.cgi?id=66015 [ Auth Req'd ]
  https://code.google.com/p/chromium/issues/detail?id=91911

• Abhishek Arya (Inferno) - Google Chrome Security Team